Hello,
I am configuring an ELK stack and would like to use filebeat to read in zeek logs. Below is a snippet of my filebeat module configuration:
# cat /etc/filebeat/modules.d/zeek.yml
- module: zeek
  capture_loss:
    enabled: true
    var.paths: ["/var/log/zeek/capture_loss.log"]
  connection:
    enabled: true
    var.paths: ["/var/log/zeek/conn.log"]
  dce_rpc:
    enabled: false
  dhcp:
    enabled: true
    var.paths: ["/var/log/zeek/dhcp.log"]
  dnp3:
    enabled: false
  dns:
    enabled: true
    var.paths: ["/var/log/zeek/dns.log"]
  dpd:
    enabled: false
  files:
    enabled: true
    var.paths: ["/var/log/zeek/files.log"]
I would like to add a tag to all the outputs from this module using an environment variable, something along the lines of:
    input:
      processors:
        - add_tags:
            tags: ["${SOURCE}"]
            target: "pcapSource"
How would I go about configuring this?
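Two ways this can be wired up, as an added example that is not part of the original post. Both rely on Filebeat expanding `${VAR}` references from the process environment, on the `add_tags` processor, and on modules populating `event.module`; the variable name `SOURCE`, the fallback value `unknown`, and the choice to put the value in a custom `pcapSource` field rather than the standard `tags` array are assumptions taken from the question. Option A places the processor under each fileset's `input:` block, which is where Filebeat lets module config override input-level settings; Option B tags every zeek event once, from the global processor list in filebeat.yml, using a `when` condition so it does not touch other modules' events.

```yaml
# --- /etc/filebeat/modules.d/zeek.yml (added example, not the poster's file) ---
# Option A: per fileset. `input:` sits under the fileset, not the module,
# and its contents are passed to that fileset's input, so the processor
# list goes there. ${SOURCE:unknown} expands to the SOURCE environment
# variable and falls back to "unknown" when it is unset, so a missing
# variable never yields an empty tag or a config that fails to load.
- module: zeek
  connection:
    enabled: true
    var.paths: ["/var/log/zeek/conn.log"]
    input:
      processors:
        - add_tags:
            tags: ["${SOURCE:unknown}"]
            target: "pcapSource"
  dns:
    enabled: true
    var.paths: ["/var/log/zeek/dns.log"]
    input:
      processors:
        - add_tags:
            tags: ["${SOURCE:unknown}"]
            target: "pcapSource"
---
# --- /etc/filebeat/filebeat.yml (excerpt, added example) ---
# Option B: once for the whole module. Global processors run on every event
# Filebeat emits, so the `when` condition restricts this one to events whose
# event.module field was set by the zeek module; other modules are untouched.
processors:
  - add_tags:
      when:
        equals:
          event.module: "zeek"
      tags: ["${SOURCE:unknown}"]
      target: "pcapSource"
```

Option A has to be repeated in every enabled fileset, so Option B is the less error-prone choice when the tag should cover all zeek logs. Dropping `target` makes `add_tags` append to the standard `tags` array instead of creating a `pcapSource` field; keep whichever matches what the Kibana side expects. The variable must be visible to the Filebeat process itself, not just your shell: when Filebeat runs under systemd, export it through the unit's environment file (the package unit reads `/etc/default/filebeat` on deb and `/etc/sysconfig/filebeat` on rpm systems) rather than in `~/.bashrc`. `SOURCE=sensor-01 filebeat test config -c /etc/filebeat/filebeat.yml` confirms the expanded configuration parses before you restart the service.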